Summary: Add TCP to DNS firewall settings for virtual routers

Detail: TCP is occasionally used for certain DNS query types

BUG-ID: CLOUDSTACK-535
Bugfix-for: 4.0.1
Reported-by: Tamas Monos
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1353946670 -0700
This commit is contained in:
Marcus Sorensen 2012-11-26 09:21:32 -07:00
parent ac1920ee9d
commit 82a7e49fad
5 changed files with 8 additions and 1 deletions


@ -33,6 +33,7 @@ COMMIT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT


@ -31,6 +31,7 @@ COMMIT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT


@ -83,8 +83,10 @@ setup_dnsmasq() {
# setup rules to allow dhcp/dns request
sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -D INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
# setup static
sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
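Review bot: The added `-D` for TCP 53 (like the two `-D` lines above it) prints an iptables "Bad rule" error whenever the rule is not yet present, which is the normal case on first run; if the delete is meant as an idempotency guard so re-running setup_dnsmasq() does not stack duplicate ACCEPT rules, record that with a comment such as `# drop any stale copy first; the -D fails harmlessly when no rule exists`. The expansions on the new lines are unquoted; `sudo iptables -A INPUT -i "$dev" -d "$ip" -p tcp -m tcp --dport 53 -j ACCEPT` keeps an empty or odd value from shifting the argument list. The `-d $ip` restriction here is narrower than the template rules in the first two hunks, which accept TCP 53 to any destination on eth0; worth noting which one is the intended policy. setup_dnsmasq() begins and ends outside this hunk.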


@ -40,7 +40,9 @@ iptables_() {
sudo iptables $op FORWARD -i ppp+ -d $zcidr -j ACCEPT
sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
sudo iptables $op INPUT -i ppp+ -p udp --dport 53 -j ACCEPT
sudo iptables $op INPUT -i ppp+ -p tcp --dport 53 -j ACCEPT
sudo iptables -t nat $op PREROUTING -i ppp+ -p udp --dport 53 -j DNAT --to-destination $local_ip
sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp --dport 53 -j DNAT --to-destination $local_ip
}
ipsec_server() {
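Review bot: The new TCP INPUT and DNAT rules here write `-p tcp --dport 53` without `-m tcp`, while the matching hunk in the other iptables_() (the `$subnet_if`/`$subnet_ip` script) uses `-m tcp -p tcp`; iptables loads the tcp match implicitly for `-p tcp --dport`, so both forms work, but because `$op` is also used with `-D`, a delete only succeeds when the rule spec matches exactly, and one spelling across both scripts makes that easier to audit. The DNAT now redirects all TCP DNS from VPN clients to `$local_ip`, as the UDP rule already does; a comment such as `# force VPN clients' DNS (udp and tcp) to the router's own resolver` would record that intent next to the rules. `$local_ip` is unquoted, consistent with the surrounding lines.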


@ -49,7 +49,8 @@ iptables_() {
sudo iptables $op FORWARD -i $subnet_if -o ppp+ -j ACCEPT
sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip
sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $subnet_ip
if sudo iptables -t mangle -N VPN_$public_ip &> /dev/null
then
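Review bot: The two new TCP lines are appended after the UDP DNAT line, so INPUT accepts and nat PREROUTING rules now alternate; placing the TCP INPUT accept directly under the UDP one and the TCP DNAT under the UDP DNAT keeps each pair side by side and matches how the same rules are laid out in the other iptables_() hunk. Since both `-A` and `-D` go through `$op`, any later change to one of these lines has to be mirrored exactly or the delete will silently leave the rule behind. iptables_() begins outside this hunk, and the `if` on its last line continues past it.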